Understanding and Mitigating the Citrix Bleed 2 Vulnerability

Alex Cipher · 5 min read

The Citrix Bleed 2 vulnerability, tracked as CVE-2025-5777, is a critical flaw in Citrix NetScaler ADC and NetScaler Gateway. It is an out-of-bounds memory read that lets an unauthenticated attacker pull sensitive data, including session tokens and credentials, out of appliance memory, and it carries a CVSS score of 9.3. Exploitation has been reported in the wild, with attackers replaying stolen session tokens to bypass multi-factor authentication and then performing reconnaissance against Active Directory. Security researcher Kevin Beaumont, who named the flaw, has compared its potential impact to the original Citrix Bleed crisis of 2023; affected organizations should treat it as requiring immediate action.

Overview of the Citrix Bleed 2 Vulnerability

Nature of the Vulnerability

Citrix Bleed 2, tracked as CVE-2025-5777, is a critical flaw in Citrix NetScaler ADC and NetScaler Gateway. It is an out-of-bounds memory read that lets an unauthenticated attacker retrieve portions of appliance memory that should never be returned to a client, including session tokens, credentials and other sensitive data. A stolen session token can then be replayed to hijack the session and bypass multi-factor authentication (MFA), which never fires because no fresh login takes place. Citrix's advisory states that the flaw applies to appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The vulnerability has been likened to the original Citrix Bleed (CVE-2023-4966) because the bug class and the resulting impact are the same.

Exploitation and Impact

ReliaQuest assesses with medium confidence that attackers are actively exploiting Citrix Bleed 2 to gain unauthorized access to targeted environments. The CVSS score of 9.3 reflects the severity: successful exploitation yields sensitive data, hijacked sessions and a foothold inside the organization's network.

Observations from Attacks

Observations from real attacks have surfaced several indicators of compromise associated with exploitation of Citrix Bleed 2:

  • Hijacked Citrix Web Sessions: Attackers have been observed bypassing MFA by using stolen session tokens, allowing them to gain access without user interaction.
  • Session Reuse Across IP Addresses: Attackers have reused the same Citrix session across both legitimate and suspicious IP addresses, indicating session hijacking and replay from unauthorized sources.
  • Active Directory Reconnaissance: After gaining access, attackers have initiated LDAP queries to perform reconnaissance on Active Directory, mapping users, groups, and permissions.
  • Domain Reconnaissance: Multiple instances of ADExplorer64.exe have been run across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.
  • Use of Consumer VPN Providers: Citrix sessions have originated from data center IPs associated with consumer VPN providers, suggesting attacker obfuscation via anonymized infrastructure.
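The two session-level indicators above (one session presented from several IP addresses, and sessions arriving from anonymizing infrastructure) are mechanical enough to hunt for in gateway logs. The following Python script is an added example, not code from the article, ReliaQuest or Citrix: it runs both checks over a handful of constructed log lines. The "ts sid= user= src= action=" field layout, the suspect IP range list and the 300-second replay window are assumptions chosen for the illustration, not NetScaler's real syslog format or a real threat-intelligence feed.

```python
"""Hunt for hijacked NetScaler sessions: one session id presented from
several source IPs, and logins from anonymizing infrastructure.
Added example with constructed data, not real appliance output."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample records. The "ts sid= user= src= action=" layout is an
# assumption for this example, not NetScaler's real log format.
SAMPLE_LOG = """\
2025-06-27T09:01:12Z sid=7f3a9c user=alice src=203.0.113.10 action=login
2025-06-27T09:02:40Z sid=7f3a9c user=alice src=203.0.113.10 action=ica_launch
2025-06-27T09:03:05Z sid=7f3a9c user=alice src=198.51.100.77 action=ica_launch
2025-06-27T09:10:00Z sid=c0ffee user=bob src=192.0.2.25 action=login
2025-06-27T09:11:30Z sid=c0ffee user=bob src=192.0.2.25 action=ica_launch
2025-06-27T10:45:00Z sid=deadbe user=carol src=198.51.100.200 action=login
"""

# Stand-in for a threat-intel list of data-centre / consumer-VPN egress
# ranges. Constructed: RFC 5737 documentation space, not a real feed.
SUSPECT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# A session that hops between IPs faster than this is treated as replayed.
REUSE_WINDOW_SECONDS = 300


def parse_log(text):
    """Parse the constructed log into dicts with a datetime 'ts' field."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def in_suspect_range(ip):
    """True when the address falls inside one of the suspect ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def find_session_reuse(records, window=REUSE_WINDOW_SECONDS):
    """Return {sid: [hop, ...]} for every session seen from more than one
    source IP. Each hop records both IPs, the gap in seconds, whether the
    gap is inside the replay window, and whether the new IP is in a suspect
    range. Legitimate roaming tends to show long gaps and residential IPs."""
    by_sid = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_sid[rec["sid"]].append(rec)
    hops = defaultdict(list)
    for sid, events in by_sid.items():
        for prev, cur in zip(events, events[1:]):
            if prev["src"] == cur["src"]:
                continue
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            hops[sid].append({
                "user": cur["user"],
                "from_ip": prev["src"],
                "to_ip": cur["src"],
                "gap_seconds": gap,
                "rapid": gap <= window,
                "to_suspect_range": in_suspect_range(cur["src"]),
            })
    return dict(hops)


def find_suspect_logins(records):
    """Sorted (user, ip) pairs for logins originating in a suspect range."""
    return sorted({(r["user"], r["src"]) for r in records
                   if r["action"] == "login" and in_suspect_range(r["src"])})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, hops in find_session_reuse(recs).items():
        for h in hops:
            print(f"[REUSE] sid={sid} user={h['user']} {h['from_ip']} -> "
                  f"{h['to_ip']} gap={h['gap_seconds']:.0f}s "
                  f"rapid={h['rapid']} suspect_dst={h['to_suspect_range']}")
    for user, ip in find_suspect_logins(recs):
        print(f"[ANON] login user={user} src={ip}")
```

On the sample data only alice's session trips the reuse check: it moves from a residential-looking address to a suspect-range address 25 seconds after the previous event, which is the pattern of a token replayed from attacker infrastructure while the victim is still connected. Carol's login is flagged purely on source range, which is a weaker signal on its own and should be corroborated with the LDAP and ADExplorer64.exe activity described above.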

Mitigation Strategies

To protect against the exploitation of Citrix Bleed 2, organizations are advised to implement several mitigation strategies. These include:

  • Immediate Patching: Apply the fixed builds without delay. Citrix's fixes are in NetScaler ADC and Gateway 14.1-43.56 and later, 13.1-58.32 and later, and 13.1-FIPS/NDcPP 13.1-37.235 and later.
  • Review of Active Sessions: Before terminating sessions, review them for anomalies such as unexpected source IP addresses or one session presented from several addresses, using the show icaconnection command on the CLI and NetScaler Gateway > PCoIP > Connections in the GUI.
  • Termination of Active Sessions: After the updated firmware is installed, terminate all active ICA and PCoIP sessions, because a token captured before the patch remains valid and can still be replayed against the patched appliance. Run kill icaconnection -all and kill pcoipconnection -all.
  • Limiting External Access: If the update cannot be installed immediately, restrict which networks can reach the NetScaler using network ACLs or firewall rules.
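Checking whether a fleet of appliances is actually on a fixed build is the first step of the procedure above, and it is easy to get wrong because build numbers are dotted decimals, not strings. The following Python helper is an added example that is not from the article or from Citrix: it compares a version string against the fixed builds listed above. The `show ns version` output format it parses is an assumption to verify against your own appliance, and the `fips` flag has to be supplied by the operator because mainline 13.1 and the 13.1-FIPS/NDcPP train share a release label but have different fixed build numbers.

```python
"""Classify a NetScaler build as patched / vulnerable / unknown against the
CVE-2025-5777 fixed builds. Added example; the parsed format is assumed."""
import re

# Fixed builds as listed in the mitigation guidance above, keyed by
# (release, is_fips_or_ndcpp_train).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / 13.1-NDcPP train
}

# Assumed shape of the first line of `show ns version`; confirm it against
# a real appliance before relying on this pattern.
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(show_ns_version_output):
    """Return (release, (build_major, build_minor)) with the build as
    integers. Builds must be compared numerically: as strings, '43.9' sorts
    after '43.56' even though it is the older build."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        raise ValueError("unrecognised NetScaler version string")
    return m["release"], (int(m["major"]), int(m["minor"]))


def assess(show_ns_version_output, fips=False):
    """Return 'patched', 'vulnerable' or 'unknown'. 'unknown' means the
    release train is not in the fixed-build table (for example trains the
    article does not list); treat it as work to do, never as safe."""
    release, build = parse_version(show_ns_version_output)
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inputs, not output from real appliances.
    samples = [
        ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025", False),
        ("NetScaler NS14.1: Build 43.9.nc", False),
        ("NetScaler NS13.1: Build 37.235.nc", True),
        ("NetScaler NS13.1: Build 37.235.nc", False),
        ("NetScaler NS13.0: Build 92.21.nc", False),
    ]
    for text, is_fips in samples:
        print(f"{assess(text, fips=is_fips):>10}  fips={is_fips!s:5}  {text}")
```

Two behaviours are worth noting. A 13.1-37.235 build reports as vulnerable when `fips` is left at its default, because against the mainline threshold of 58.32 it genuinely is behind; the operator must know which train the appliance runs. And any release outside the table comes back as unknown rather than patched, so a script that only acts on "vulnerable" results will silently skip those appliances unless it also handles the unknown case.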

Broader Industry Impact

The Citrix Bleed 2 vulnerability marks the second major Citrix vulnerability under active exploitation within a short period, following CVE-2025-6543. This pattern mirrors the 2023 Citrix Bleed campaign, which was extensively exploited by ransomware groups and state-sponsored actors. With tens of thousands of vulnerable devices exposed, security experts warn that Citrix Bleed 2 could trigger another wave of high-profile breaches. Organizations are urged to prioritize immediate patching and implement additional monitoring for unusual session activity, particularly authentication from unexpected IP addresses or rapid session reuse patterns.

Security Research and Recommendations

Security researchers, including Kevin Beaumont, who coined the “Citrix Bleed 2” moniker, have highlighted the critical nature of this vulnerability. The flaw stems from insufficient input validation in Citrix NetScaler ADC and Gateway devices, leading to an out-of-bounds memory read. This allows unauthorized attackers to grab valid session tokens from the memory of internet-facing NetScaler devices by sending a malformed request.

At the time of Citrix's initial advisory, Benjamin Harris, CEO at watchTowr, noted that no active exploitation had yet been observed but that the vulnerability needed to be monitored closely; the exploitation indicators described above emerged afterwards. The risk associated with Citrix Bleed 2 is considered on par with the original Citrix Bleed crisis, which caused significant disruption in 2023, and security experts strongly recommend patching immediately rather than waiting for confirmation of attacks against a given environment.

Conclusion

The Citrix Bleed 2 vulnerability represents a significant security risk for organizations using Citrix NetScaler ADC and Gateway devices. With evidence of active exploitation and the potential for widespread impact, it is crucial for organizations to take immediate action to mitigate the risk. By applying the latest patches, terminating active sessions, and implementing additional security measures, organizations can protect themselves from the potential consequences of this critical vulnerability.

Final Thoughts

Citrix Bleed 2 is a significant challenge for defenders. With exploitation already under way, patching and vigilant session monitoring cannot wait, and the original Citrix Bleed crisis of 2023, extensively exploited by ransomware groups and state-sponsored actors, shows what inaction costs. Organizations that install the update, clear existing sessions and watch for anomalous session activity are in a far stronger position than those that only patch. As the threat landscape keeps shifting, staying informed and acting early remain the most reliable ways to protect sensitive data and organizational integrity.
